qemu/include/hw/ssi/aspeed_smc.h
Jamin Lin 05d501a1ea aspeed/smc: Fix write incorrect data into flash in user mode
According to the design of ASPEED SPI controllers user mode, users write the
data to flash, the SPI drivers set the Control Register(0x10) bit 0 and 1
enter user mode. Then, SPI drivers send flash commands for writing data.
Finally, SPI drivers set the Control Register (0x10) bit 2 to stop
active control and restore bit 0 and 1.

According to the design of ASPEED SMC model, firmware writes the
Control Register and the "aspeed_smc_flash_update_ctrl" function is called.
Then, this function verify Control Register(0x10) bit 0 and 1. If it set user
mode, the value of s->snoop_index is SNOOP_START else SNOOP_OFF.
If s->snoop_index is SNOOP_START, the "aspeed_smc_do_snoop" function verify
the first incomming data is a new flash command and writes the corresponding
dummy bytes if need.

However, it did not check the current unselect status. If the current unselect
status is "false" and firmware sets the IO MODE by Control Register bits 31:28,
the value of s->snoop_index will be changed to SNOOP_START again and
"aspeed_smc_do_snoop" misunderstands the incoming data as a new flash
command, which causes unexpected data to be written into flash.

Example:
1. Firmware set user mode by Control Register bit 0 and 1(0x03)
2. SMC model set s->snoop SNOOP_START
3. Firmware set Quad Page Program with 4-Byte Address command (0x34)
4. SMC model verify this flash command and it needs 4 dummy bytes.
5. Firmware send 4 bytes address.
6. SMC model receives 4 bytes address
7. Firmware set QPI IO MODE by Control Register bit 31. (0x80000003)
8. SMC model verify new user mode by Control Register bit 0 and 1.
   Then, set s->snoop SNOOP_START again. (It is the wrong behavior.)
9. Firmware send 0xebd8c134 data and it should be written into flash.
   However, SMC model misunderstand that the first incoming data, 0x34,
   is the new command because the value of s->snoop is changed to SNOOP_START.
   Finally, SMC sned the incorrect data to flash model.

Introduce a new unselect attribute in AspeedSMCState to save the current
unselect status for user mode and set it "true" by default.
Update "aspeed_smc_flash_update_ctrl" function to check the previous unselect
status. If both new unselect status and previous unselect status is different,
update s->snoop_index value and call "aspeed_smc_flash_do_select".

Increase VMStateDescription version.

Signed-off-by: Jamin Lin <jamin_lin@aspeedtech.com>
Reviewed-by: Cédric Le Goater <clg@redhat.com>
[ clg: - Replaced VMSTATE_BOOL -> VMSTATE_BOOL_V ]
Signed-off-by: Cédric Le Goater <clg@redhat.com>
2024-10-24 07:57:47 +02:00


/*
* ASPEED AST2400 SMC Controller (SPI Flash Only)
*
* Copyright (C) 2016 IBM Corp.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
#ifndef ASPEED_SMC_H
#define ASPEED_SMC_H
#include "hw/ssi/ssi.h"
#include "hw/sysbus.h"
#include "qom/object.h"
struct AspeedSMCState;
struct AspeedSMCClass;
#define TYPE_ASPEED_SMC_FLASH "aspeed.smc.flash"
OBJECT_DECLARE_SIMPLE_TYPE(AspeedSMCFlash, ASPEED_SMC_FLASH)
/*
 * One flash device (one chip select) attached to an SMC controller.
 * The controller owns an array of these, see AspeedSMCState::flashes.
 */
struct AspeedSMCFlash {
    SysBusDevice parent_obj;

    struct AspeedSMCState *controller; /* owning controller */
    struct AspeedSMCClass *asc;        /* class of the owning controller */
    uint8_t cs;                        /* chip select index, < ASPEED_SMC_CS_MAX */
    MemoryRegion mmio;                 /* memory region for this chip select
                                        * (presumably its slice of the flash
                                        * window; verify against the .c file) */
};
#define TYPE_ASPEED_SMC "aspeed.smc"
OBJECT_DECLARE_TYPE(AspeedSMCState, AspeedSMCClass, ASPEED_SMC)
#define ASPEED_SMC_R_MAX (0x100 / 4)
#define ASPEED_SMC_CS_MAX 5
/*
 * Device state of an ASPEED SMC (SPI flash) controller.
 *
 * The fields from snoop_index onwards are guest-driven: they change in
 * response to firmware writes of the Control Register and decide how the
 * next bytes written in user mode are interpreted, so they are part of the
 * migrated state (see the VMStateDescription in the .c file).
 */
struct AspeedSMCState {
    SysBusDevice parent_obj;

    MemoryRegion mmio;                 /* register region */
    MemoryRegion mmio_flash_container;
    MemoryRegion mmio_flash;           /* flash window, presumably containing
                                        * the per-CS AspeedSMCFlash::mmio
                                        * regions -- confirm in the .c file */

    qemu_irq irq;
    qemu_irq *cs_lines;                /* one line per chip select */
    bool inject_failure;               /* purpose not evident from this header */

    SSIBus *spi;

    /* Register file: 0x100 bytes of 32-bit registers. */
    uint32_t regs[ASPEED_SMC_R_MAX];

    /*
     * Depends on the controller type; these mirror the same-named fields
     * of AspeedSMCClass (presumably register offsets, given the r_ prefix).
     */
    uint8_t r_conf;
    uint8_t r_ce_ctrl;
    uint8_t r_ctrl0;
    uint8_t r_timings;
    uint8_t conf_enable_w0;

    AddressSpace flash_as;

    /* DMA to/from guest DRAM; see AspeedSMCClass::dma_dram_mask. */
    MemoryRegion *dram_mr;
    AddressSpace dram_as;
    uint64_t dram_base;

    AspeedSMCFlash flashes[ASPEED_SMC_CS_MAX];

    /*
     * User-mode command snooping. snoop_index is set to SNOOP_START when
     * firmware selects user mode through Control Register bits 0 and 1 and
     * to SNOOP_OFF otherwise; while started, the first byte written is
     * treated as a flash command. snoop_dummies is the number of dummy
     * bytes expected after that command (so they are not taken as data).
     */
    uint8_t snoop_index;
    uint8_t snoop_dummies;

    /*
     * Previous "unselect" status of user mode, true by default. The
     * Control Register update path compares the newly requested status
     * with this value and only restarts snooping when they differ, so a
     * register write that merely changes the IO mode (bits 31:28) in the
     * middle of a transfer cannot reset the snoop state machine and make
     * data bytes be misread as a new command.
     */
    bool unselect;
};
/*
 * Decoded form of one flash segment (address window) of the controller;
 * converted to/from its register encoding by AspeedSMCClass::segment_to_reg
 * and AspeedSMCClass::reg_to_segment.
 */
typedef struct AspeedSegments {
    hwaddr addr;    /* window base address */
    uint32_t size;  /* window size in bytes */
} AspeedSegments;
/*
 * Per-SoC description of an SMC controller: register layout, flash window
 * geometry, DMA constraints and the controller-specific hooks.
 */
struct AspeedSMCClass {
    SysBusDeviceClass parent_obj;

    /* Register layout (presumably offsets into regs[], given the r_ prefix). */
    uint8_t r_conf;
    uint8_t r_ce_ctrl;
    uint8_t r_ctrl0;
    uint8_t r_timings;
    uint8_t nregs_timings;
    uint8_t conf_enable_w0;

    uint8_t cs_num_max;            /* chip selects on this controller */
    const uint32_t *resets;        /* register reset values (NOTE(review):
                                    * length assumed to be nregs -- confirm) */
    const AspeedSegments *segments; /* default flash segments, per chip select */
    uint32_t segment_addr_mask;
    hwaddr flash_window_base;
    uint32_t flash_window_size;
    uint32_t features;             /* controller feature flag bits */
    hwaddr dma_flash_mask;         /* address mask applied to DMA flash addresses */
    hwaddr dma_dram_mask;          /* address mask applied to DMA DRAM addresses */
    uint32_t dma_start_length;
    uint32_t nregs;                /* number of implemented 32-bit registers */

    /* Encode a segment window into its segment-register value. */
    uint32_t (*segment_to_reg)(const AspeedSMCState *s,
                               const AspeedSegments *seg);
    /* Decode a segment-register value into a window. */
    void (*reg_to_segment)(const AspeedSMCState *s, uint32_t reg,
                           AspeedSegments *seg);
    /* Handle a guest write of value to the DMA control register. */
    void (*dma_ctrl)(AspeedSMCState *s, uint32_t value);
    /* Address width of the controller (presumably in bits -- confirm). */
    int (*addr_width)(const AspeedSMCState *s);
    /* Ops backing the register MemoryRegion. */
    const MemoryRegionOps *reg_ops;
};
#endif /* ASPEED_SMC_H */